Password Management Software?

[photon]

Yeah just saw that. Crazy.

[Izzle]

Quote:

Originally Posted by ah123

If anyone uses LastPass, time to change your passwords

https://arstechnica.com/information-...customer-info/

I have last pass. Should we be updating each individual password inside as well as the master password to access last pass itself?

[kermitology]

It’s more of a privacy breach. Your passwords on their own, they’re safe unless your master password is simple.

[Izzle]

Quote:

Originally Posted by kermitology

It’s more of a privacy breach. Your passwords on their own, they’re safe unless your master password is simple.

I see. I only have passwords saved there for various websites. So the hackers now know I bank with RBC?

[kermitology]

Yep

[Izzle]

Quote:

Originally Posted by kermitology

Yep

But that's the extent of it. They wouldn't know my password to RBC?

[photon]

Not unless they can guess the master password to your password safe, which should be something both complex and unique. If they guess that then they've got all your passwords for everything.

[Inglewood Jack]

Quote:

Originally Posted by Izzle

But that's the extent of it. They wouldn't know my password to RBC?

Even if they crack your vault and get your RBC password, you’ve got MFA turned on for your bank and all other important accounts right?

[Izzle]

Quote:

Originally Posted by Inglewood Jack

Even if they crack your vault and get your RBC password, you’ve got MFA turned on for your bank and all other important accounts right?

Yup I do. And I haven't saved any of those answers in lastpass.

[GoinAllTheWay]

Hopefully have MFA turned on for LP too.


I've really got to get off the app based MFA, anyone here using Yubikey? I've heard mixed reviews with them but as far as I can tell, it's the best form of MFA you can get atm.

[taxbuster]

Quote:

Originally Posted by GoinAllTheWay

Hopefully have MFA turned on for LP too.


I've really got to get off the app based MFA, anyone here using Yubikey? I've heard mixed reviews with them but as far as I can tell, it's the best form of MFA you can get atm.

Yes. Yubikey FTW!

I do use them in a few different manners:

- with the Yubico Authenticator ("YA")....so several copies of YA on phones, PCs wherever and multiple Yubikeys ("YK") all "recognized" by YA. So, if I lose a phone or a PC craps out ANY OTHER YA will still work. Essentially these back up each other as they are redundant copies.

- in Windows Hello....MUST insert a YK to boot to OS. If no key...no access to the (encrypted of course) OS.

- as a sole identifier: so, if adding (say) 1Password to a new machine, not only do I need to supply the various requirements of 1P, but the 2FA from a YK as well in order to install it and make it effective.

When we travel, my wife has a spare YK that can access everything on her key ring in case one of my usual copies gets lost. As well....a backup at a secure location of course.

Can be a bit confusing at times, but worth the effort in the learning curve.

Start with things that "don't matter" in order to test.

[Inglewood Jack]

Quote:

Originally Posted by Izzle

Yup I do. And I haven't saved any of those answers in lastpass.

account verification or password recovery Q&A is not the same as MFA. the F in MFA are the different factors, which is usually something you know (password) plus something you have (device).

RBC has MFA via the phone app, it's a simple approval button, no code typing required. they only added this within the last couple of years though, which is way too late for a big bank. I assume all other Canadian banks have similar options.

[Izzle]

Quote:

Originally Posted by Inglewood Jack

account verification or password recovery Q&A is not the same as MFA. the F in MFA are the different factors, which is usually something you know (password) plus something you have (device).



RBC has MFA via the phone app, it's a simple approval button, no code typing required. they only added this within the last couple of years though, which is way too late for a big bank. I assume all other Canadian banks have similar options.

I see. I have RBC set up where it will text me a code, which I then enter into the app.

Other websites that I usually frequent have something similar. Either they text me a code or they email me after I put in my password. I typically use my phone to access my email for the code. When I access Gmail on the computer, my android phone asks me to click "yes, it's me" before giving me access to Gmail on the computer.

[taxbuster]

Quote:

Originally Posted by Izzle

I see. I have RBC set up where it will text me a code, which I then enter into the app.

Other websites that I usually frequent have something similar. Either they text me a code or they email me after I put in my password. I typically use my phone to access my email for the code. When I access Gmail on the computer, my android phone asks me to click "yes, it's me" before giving me access to Gmail on the computer.

The problem with the "texted code" syndrome is that it is the cheapest form of what they like to call Multi-Factor Authentication. It is known better as Two-Step Authentication...and is considerably at risk to a SimSwap.

As soon as someone performs a SimSwap on your phone account they have access to your actual phone number...and any code sent to it. So if your PC (or phone) get compromised, and then the attacker swaps sims....you're pooched. Banks don't care....they'll blame you and leave you to hang.

An Authenticator App is certainly better than a texted code...for anything.

Another approach is to start an account at voip.ms and create an SMS account that is NOT attached to your phone, and which can either send an message to your email or another phone (or both). I have friends doing this while out of the country without regular phone access.

And, FWIW, TD has finally issued an Authenticator App as well for their regular banking. Some banks ARE wising up.

[Hemi-Cuda]

My primary bank is Scotiabank and their mobile app acts as an authenticator as well, requiring you to approve any sign-in on an unrecognized device. I use the Google Authenticator for my Bitwarden master password, everything else is minor enough that I'm fine with SMS 2-step auth

[GoinAllTheWay]

Quote:

Originally Posted by Inglewood Jack

they only added this within the last couple of years though, which is way too late for a big bank.

Agreed. RBC can be frustratingly slow with things like this. And before that, they had to push their own wallet instead of just being part of google or apple pay.



Glad they finally got around to providing something like this. Better late than never but it was starting to look like never for a while there.


Shaw needs to get on this too for that matter, still screwing around with email or text based MFA.

[photon]

Quote:

Originally Posted by taxbuster

And, FWIW, TD has finally issued an Authenticator App as well for their regular banking. Some banks ARE wising up.

Hoping BMO does this soon.

[darockwilder]

Has anyone used Microsoft Authenticator as a password manager?

Also, I find the RBC authenticator doesn't seem to function properly when I try to log in at work. I have to use the text option basically every time. It happens at home occasionally too, but it used to work fine everywhere. Just this year it seems to have started to be flaky.

[taxbuster]

But...why? It integrates on a phone only with Safari. Not sure it's easy to set up on multiple locations (eg desktop PC, phone, laptop, spouse's PC or phone).

1password.ca does all of that - and hosts its data only in Canada. Also a Canadian company. Integrates with pretty much all browsers. Generates its own TOTP codes if desired. Shares access to all, or only specific, vaults.

Yea, it costs a few bucks. But why use a deficient product instead? (Honest question BTW...not crabbing at you!)

[taxbuster]

Quote:

Originally Posted by darockwilder

Also, I find the RBC authenticator doesn't seem to function properly when I try to log in at work. I have to use the text option basically every time. It happens at home occasionally too, but it used to work fine everywhere. Just this year it seems to have started to be flaky.

Check your time settings. If your time is off, TOTP won't work well. Or at all.